PACKET RAT: If they take your personal info but can't find it, do you really exist?

By R. Fink

Oct 21, 2005

The Rat

Michael J. Bechetti

It's bad enough when an IT project goes to heck in a handbasket. But there's a special sort of sinking feeling associated with an IT project that fails spectacularly in full view of lawyers and Congress.

The Rat suspects some of the folks at the Transportation Security Administration are familiar with that feeling, now that they've had to tell the world they're unable to query the database they created for the Secure Flight data-mining test performed last year.

The database, assembled from June 2004 airline passenger records and millions of records from commercial data brokers'including credit reports and other personal data'was already plagued by bad karma, since TSA had told Congress it would not use commercial data sources for the test.

But it did, and in the process violated the Privacy Act a hundred million times or so'once for each record it bought from private sources without properly disclosing the collection. That infuriated a couple of senators and fired up advocacy groups such as the Electronic Frontier Foundation. And while congressional oversight usually results in a strongly worded letter, there is no fury greater than a bunch of geeks, libertarians and lawyers spurned.

Once word got out that TSA had gone ahead and bought the commercial data, people started filing Freedom of Information Act requests to find out what data TSA had collected on them.

'And here's where things get really embarrassing,' the Rat recounted to his agency's database administrator. 'TSA said they couldn't provide the data, because their database doesn't work. They claimed it wasn't designed to allow them to run queries against individual names to get that information.'

The DBA spewed coffee through his nose. 'You mean they built a data warehouse to cross-reference information about individuals, but they can't actually run queries about the individuals they were trying to cross-reference?'

He shook his head vigorously. 'Either they're lying, or they never actually indexed their data. Or maybe they're unfamiliar with Structured Query Language's syntax for 'Get All for Name Equals.' '

The Rat nodded. 'Maybe they bought the data and realized they had no way to normalize it with the airline records? Still, you'd think they could do queries on the commercial data on its own. Unless, of course, they're trying to avoid the budgetary impact of all that data sifting.'

The whiskered one shrugged. 'Oh, and did I mention that they claim they've already deleted some of the records?'

'Actually, that might be a bad idea,' the cyberrodent said with a smile. 'The original passengers who filed FOIA requests were all from Alaska. And I don't think they're amused. But anyway, now the EFF has thousands of people submitting more FOIA requests.

'That, and they're trying to reverse-engineer the Secure Flight database so they can figure out why TSA can't actually use it.'

'That should be difficult at best,' the DBA said. 'There are a limited number of ways to do things right, but an infinite number of ways to screw things up.'

The Packet Rat once managed networks but now spends his time ferreting out bad packets in cyberspace. E-mail him atrat@postnewsweektech.com.